
Microsoft: Insecure, as Always

The cost of the company's doctrine of "features first" is becoming too great.

Microsoft's corporate vice president for the Windows client, Tom Button, told this month's WinHEC attendees in Seattle that the company recognized its need to "nail the fundamentals." Coming in a week when Sasser infections were spreading around the world, Button's declaration was ironic and his choice of verb unfortunate. His remarks may have triggered graphic images in the minds of frustrated users and IT managers, as they perhaps envisioned nailing the hides of the architects of Windows to the nearest available wall.

In most of the previous high-profile IT security incidents, one could argue the burden was on IT buyers to warn their users against the hazards of opening attachments, let alone downloading software of doubtful provenance. The Sasser worm—family of worms, to be more precise—has awakened a new and more incendiary anger by attacking systems without any aid from their unwitting users.

Sasser compounded the insult, moreover, by attacking through a loophole in a piece of code—the Local Security Authority Subsystem Service—that's actually supposed to be managing security functions on users' machines. Worst of all, Sasser advertised the emperor's nakedness by using a form of exploit—the buffer overflow—that has been discussed in theory for almost 50 years and has been known in practice since the early 1970s. So much for reviewing and fixing old code before writing new.

Button's WinHEC speech went on to lament, with breathtaking lack of tact, the slow pace of Windows 9x users' migration to Windows XP. "Most of the opportunity here," he said, "is not about selling a retail copy of Windows XP onto an old piece of hardware; it's really about helping people understand the benefits of moving onto a new PC or of adding a new PC to their lives." When users of Windows 2000 and XP are frantically patching their machines, while users of the aging Windows 9x look on in sympathy but with far less need to worry, those benefits may be difficult to discern.

And when Sun is sitting in the lobby, ready to offer a flat rate of $100 per employee per year for a productivity solution that is not an ongoing security nightmare, the word for Microsoft's situation may not be so much "opportunity" as "peril."

Microsoft can no longer credibly assert that minimizing user burden is more important than maximizing integrity of operation. The cost of the company's doctrine of "features first" is becoming too great, and users today are far more ready to take on the burden of enabling their machines to do only what's desired: to "deny by default" rather than "enable on install."

Enterprises likewise need to demonstrate determination to take back control of their own technology base, tailoring it to their needs instead of accepting any vendor's agenda. And Microsoft needs to think of its users, not its PC OEMs, as its ultimate customers.